Zeus variant 'Maple' targets financial data of Canadian users

A new Zeus variant called “Maple” improves upon a number of malicious capabilities familiar to fraudsters wielding the trojan.

According to Trusteer, an IBM company, criminals have targeted 14 leading financial institutions in Canada with the malware since January. The name “Maple” is a reference to the red maple leaf on the Canadian flag.

On Monday, Dana Tamir, director of enterprise security at Trusteer, wrote about the threat on IBM's Security Intelligence blog.

Among Maple's enhanced features are “re-patching” techniques, which restore web-injection functionalities (for stealing financial data from web browser sessions) even after security solutions detect the malware.

In addition, the Maple variant was designed with anti-debugging features – using a packer written in Visual Basic, a programming language “notoriously complex to debug [that] makes the analysis more difficult,” Tamir's post said.

In order to check the malware in debug mode, researchers are forced to jump through other hoops, Tamir added.

“In addition, to prevent malware researchers from debugging the malware, ZeuS.Maple checks the value of two known Windows flags: PEB!IsDebuggedFlag and PEB!NtGlobalFlags. The code section that checks the flag value seems to be absent at first glance, but ZeuS.Maple unpacks this code section right before it uses it,” she wrote.

In a Wednesday follow up interview with SCMagazine.com, Tamir further explained the anti-debugging features available to saboteurs.

“If [the two Windows flags] are not raised you can't get into debug mode,” Tamir said. “You have to crack that in order to get into a mode that allows you to research the malware. They are putting in hurdles specifically designed to keep malware researchers from looking at what the malware is actually doing.”

While Trusteer did not analyze how Maple was being delivered to Windows users, criminals often opt to spread the banking trojan via drive-by download or phishing emails, Tamir said.

The new Maple variant also takes up other malicious feats, including encrypting its malware configuration (which is stored in the Windows Registry) with AES-128. The malware also attempts to make the malicious executable appear legitimate to security scanners, by obscuring it in a new Windows installation path.

“The ZeuS.Maple variant provides an interesting example of new and improved methods used by malware developers to bypass automated security controls as well as human malware researchers,” Tamir wrote in her blog post.”We expect this trend to continue as we find more sophisticated, stealthy variants of Zeus targeting specific geographical regions.”